Code injection attacks exploit “bugs” within computer programs for the purpose of injecting code into the program and changing its course of execution. The “bugs” exploited by code injection attacks typically are the result of a failure to appreciate a possible input or the confusion of user input with system commands. Code injection attacks often have disastrous consequences and are commonly utilized by malicious programs, such as computer worms.
Detecting the presence of injected code is often the key to detecting a code injection attack. One technique for detecting injected code involves examining data (e.g., data from a network stream or process buffer) and executing its content while performing forensic analysis. In order to allow for effective monitoring, such a technique often utilizes a software-based central processing unit (CPU) emulator to perform the execution. The use of software-based CPU emulators for executing data associated with suspected injected code is, however, susceptible to evasive attacks that exploit discrepancies between the emulated CPU and an actual hardware CPU.
Computer virtualization or hardware virtualization is the full or partial simulation of a computer or computing platform (“virtual” or “guest” machine) by an actual computer or computing platform (“host” machine). The software or firmware on the “host” machine that manages the “virtual” machine is commonly referred to as a “hypervisor.” Virtualization is often associated with both hardware and administrative efficiency and is being increasingly employed for a wide range of applications.
One aspect of hardware virtualization is its ability to provide a platform for monitoring execution that, unlike that supported by a software emulated CPU, occurs directly on the hardware. Executing data associated with suspected injected code on virtualized hardware may therefore enable forensic analysis of the code while eliminating vulnerabilities introduced by software-based CPU emulation.
Accordingly, a need exists for methods, systems, and computer readable media for detecting injected machine code.